* MFSA 2015-96/CVE-2015-4500
Miscellaneous memory safety hazards
* MFSA 2015-100/CVE-2015-4505 (bmo#1177861) (Windows only)
Arbitrary file manipulation by local user through Mozilla updater
* MFSA 2015-101/CVE-2015-4506 (bmo#1192226)
Buffer overflow in libvpx while parsing vp9 format video
* MFSA 2015-105/CVE-2015-4511 (bmo#1200148)
Buffer overflow while decoding WebM video
* MFSA 2015-106/CVE-2015-4509 (bmo#1198435)
Use-after-free while manipulating HTML media content
* MFSA 2015-110/CVE-2015-4519 (bmo#1189814)
Dragging and dropping images exposes final URL after redirects
* MFSA 2015-111/CVE-2015-4520 (bmo#1200856, bmo#1200869)
Errors in the handling of CORS preflight request headers
* MFSA 2015-112/CVE-2015-4517/CVE-2015-4521/CVE-2015-4522/
CVE-2015-7174/CVE-2015-7175/CVE-2015-7176/CVE-2015-7177/
CVE-2015-7180
Vulnerabilities found through code inspection
* MFSA 2015-113/CVE-2015-7178/CVE-2015-7179 (bmo#1189860,
bmo#1190526) (Windows only)
Memory safety errors in libGLES in the ANGLE graphics library
- rebased patches
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=292
* MFSA 2015-79/CVE-2015-4473
Miscellaneous memory safety hazards
* MFSA 2015-80/CVE-2015-4475 (bmo#1175396)
Out-of-bounds read with malformed MP3 file
* MFSA 2015-82/CVE-2015-4478 (bmo#1105914)
Redefinition of non-configurable JavaScript object properties
* MFSA 2015-83/CVE-2015-4479/CVE-2015-4480/CVE-2015-4493
Overflow issues in libstagefright
* MFSA 2015-84/CVE-2015-4481 (bmo1171518)
Arbitrary file overwriting through Mozilla Maintenance Service
with hard links (only affected Windows)
* MFSA 2015-85/CVE-2015-4482 (bmo#1184500)
Out-of-bounds write with Updater and malicious MAR file
(does not affect openSUSE RPM packages which do not ship the
updater)
* MFSA 2015-87/CVE-2015-4484 (bmo#1171540)
Crash when using shared memory in JavaScript
* MFSA 2015-88/CVE-2015-4491 (bmo#1184009)
Heap overflow in gdk-pixbuf when scaling bitmap images
* MFSA 2015-89/CVE-2015-4485/CVE-2015-4486 (bmo#1177948, bmo#1178148)
Buffer overflows on Libvpx when decoding WebM video
* MFSA 2015-90/CVE-2015-4487/CVE-2015-4488/CVE-2015-4489
Vulnerabilities found through code inspection
* MFSA 2015-92/CVE-2015-4492 (bmo#1185820)
Use-after-free in XMLHttpRequest with shared workers
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=290
* MFSA 2015-59/CVE-2015-2724/CVE-2015-2725
Miscellaneous memory safety hazards
* MFSA 2015-60/CVE-2015-2727 (bmo#1163422)
Local files or privileged URLs in pages can be opened into new tabs
* MFSA 2015-61/CVE-2015-2728 (bmo#1142210)
Type confusion in Indexed Database Manager
* MFSA 2015-62/CVE-2015-2729 (bmo#1122218)
Out-of-bound read while computing an oscillator rendering range in Web Audio
* MFSA 2015-63/CVE-2015-2731 (bmo#1149891)
Use-after-free in Content Policy due to microtask execution error
* MFSA 2015-64/CVE-2015-2730 (bmo#1125025)
ECDSA signature validation fails to handle some signatures correctly
(this fix is shipped by NSS 3.19.1 externally)
* MFSA 2015-65/CVE-2015-2722/CVE-2015-2733 (bmo#1166924, bmo#1169867)
Use-after-free in workers while using XMLHttpRequest
* MFSA 2015-66/CVE-2015-2734/CVE-2015-2735/CVE-2015-2736/CVE-2015-2737
CVE-2015-2738/CVE-2015-2739/CVE-2015-2740
Vulnerabilities found through code inspection
* MFSA 2015-67/CVE-2015-2741 (bmo#1147497)
Key pinning is ignored when overridable errors are encountered
* MFSA 2015-69/CVE-2015-2743 (bmo#1163109)
Privilege escalation in PDF.js
* MFSA 2015-70/CVE-2015-4000 (bmo#1138554)
NSS accepts export-length DHE keys with regular DHE cipher suites
(this fix is shipped by NSS 3.19.1 externally)
* MFSA 2015-71/CVE-2015-2721 (bmo#1086145)
NSS incorrectly permits skipping of ServerKeyExchange
(this fix is shipped by NSS 3.19.1 externally)
- requires NSS 3.19.2
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=287
* includes Lightning as default extension
- rebased patches
- removed obsolete patches:
* mozilla-ppc.patch
* mozilla-nullptr-gcc45.patch
* mozilla-bug1024492.patch
- dropped openSUSE specific patches
* thunderbird-shared-nss-db.patch
* mozilla-shared-nss-db.patch
the provided feature seems not to be used and its maintenance
is not worth the ongoing efforts
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=286
* based on Gecko 31
* Autocompleting email addresses now matches against any part of
the name or email
* Composing a mail to a newsgroup will now autocomplete newsgroup
names
* Insecure NTLM (pre-NTLMv2) authentication disabled
- rebased patches
- removed enigmail entirely from source package
- removed obsolete patches
* libffi-ppc64le.patch
* ppc64le-support.patch
* xpcom-ppc64le.patch
- use GStreamer 1.0 after 13.1
- switched source archives to use xz instead of bz2
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=251
* MFSA 2014-34/CVE-2014-1518
Miscellaneous memory safety hazards
* MFSA 2014-37/CVE-2014-1523 (bmo#969226)
Out of bounds read while decoding JPG images
* MFSA 2014-38/CVE-2014-1524 (bmo#989183)
Buffer overflow when using non-XBL object as XBL
* MFSA 2014-42/CVE-2014-1529 (bmo#987003)
Privilege escalation through Web Notification API
* MFSA 2014-43/CVE-2014-1530 (bmo#895557)
Cross-site scripting (XSS) using history navigations
* MFSA 2014-44/CVE-2014-1531 (bmo#987140)
Use-after-free in imgLoader while resizing images
* MFSA 2014-46/CVE-2014-1532 (bmo#966006)
Use-after-free in nsHostResolver
- use shipped-locales as the authoritative source for supported
locales (some unsupported locales disappear from -other package)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=244
* fqdn for smtp server name was not accepted (bmo#913785)
* fixed crash in PL_strncasecmp (bmo#917955)
- update Enigmail to 1.6
* The passphrase timeout configuration in Enigmail is now read and
written from/to gpg-agent.
* New dialog to change the expiry date of keys
* New function to search for the OpenPGP keys of all Address Book
entries on a keyserver
* removed obsolete enigmail-build.patch
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=227
* MFSA 2013-63/CVE-2013-1701
Miscellaneous memory safety hazards
* MFSA 2013-68/CVE-2013-1709 (bmo#838253)
Document URI misrepresentation and masquerading
* MFSA 2013-69/CVE-2013-1710 (bmo#871368)
CRMF requests allow for code execution and XSS attacks
* MFSA 2013-72/CVE-2013-1713 (bmo#887098)
Wrong principal used for validating URI for some Javascript
components
* MFSA 2013-73/CVE-2013-1714 (bmo#879787)
Same-origin bypass with web workers and XMLHttpRequest
* MFSA 2013-75/CVE-2013-1717 (bmo#406541, bmo#738397)
Local Java applets may read contents of local file system
- update Enigmail to 1.5.2
* bugfix release
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=220
Miscellaneous memory safety hazards
* MFSA 2013-50/CVE-2013-1684/CVE-2013-1685/CVE-2013-1686
Memory corruption found using Address Sanitizer
* MFSA 2013-51/CVE-2013-1687 (bmo#863933, bmo#866823)
Privileged content access and execution via XBL
* MFSA 2013-53/CVE-2013-1690 (bmo#857883)
Execution of unmapped memory through onreadystatechange event
* MFSA 2013-54/CVE-2013-1692 (bmo#866915)
Data in the body of XHR HEAD requests leads to CSRF attacks
* MFSA 2013-55/CVE-2013-1693 (bmo#711043)
SVG filters can lead to information disclosure
* MFSA 2013-56/CVE-2013-1694 (bmo#848535)
PreserveWrapper has inconsistent behavior
* MFSA 2013-59/CVE-2013-1697 (bmo#858101)
XrayWrappers can be bypassed to run user defined methods in a
privileged context
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=218
